FMC - Access Control Policy / Advanced Tab

GRANT3779
Spotlight

I'm looking through my ACP within FMC and I see the following under the Advanced Tab -

[Image: Advanced Tab.PNG]

For the top option, what is best practice to set? This looks to me as if whatever is configured here will be processed before the actual ACP rules?

Is this right (and what is the point)?

 

Also, the bottom option, Default Network Analysis Policy - What exactly is this for? Just trying to understand why these need to be configured at all?

Thanks

1 Reply

yogdhanu
Cisco Employee

Hello There,

 

What does the intrusion policy before ACP do

The intrusion policy is used to initially inspect traffic before the system can determine exactly how to inspect that traffic.

 

Why it makes sense

Basically there are some parts of the packet which can be checked by this intrusion policy while the system checks other parameters to decide which rule in the ACP would be used. Even before the access control policy is used, the packet would be decoded, run through inline normalization (if enabled from the NAP), run through security intelligence and SSL decryption.

 

This is needed because sometimes the system must process the first few packets in a connection, allowing them to pass, before it can decide which access control rule (if any) will handle the traffic. A default intrusion policy is especially useful when performing application control and URL filtering, because the system cannot identify applications or filter URLs before a connection is fully established between the client and the server. No Rules Active is the default intrusion policy for an access control policy where you first chose the Block all traffic or Network Discovery default action. Although choosing this option disables intrusion inspection on the allowed packets described above, it can improve performance if you are not interested in intrusion data.

 

In order to determine, for example, the Facebook application, the first few packets of a stream have to be allowed regardless of the Block or Allow action. The "Intrusion Policy used before Access Control Rule is determined" is used to inspect those first packets.

Assume a situation where you added one rule which is blocking the Facebook application and you do not have 'Intrusion Policy used before Access Control Rule is determined' configured (No Rules Present). In this scenario the first few packets will be allowed (in order to determine the Facebook application), but those few packets will not be inspected because you have not configured 'Intrusion Policy used before Access Control Rule is determined'.

 

What is a network analysis policy (NAP)?

For the Network analysis policy, this document should explain things in more detail.

https://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/NAP-Getting-Started.pdf

 

Rate if it helps.

 

Yogesh
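The inspection gap described in the reply above, as an added example that is not part of the original post and not Cisco's code: a constructed, simplified model of the Firepower flow handling. It assumes the application is identified after a fixed number of packets (PACKETS_TO_IDENTIFY_APP) and that the policy names are placeholders; it only shows which allowed packets receive no intrusion inspection under each setting.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed assumption: the application detector needs this many packets
# before an ACP rule can be matched on application.
PACKETS_TO_IDENTIFY_APP = 3
NO_RULES_ACTIVE = "No Rules Active"


@dataclass
class AcpRule:
    app: str                          # application the rule matches
    action: str                       # "allow" or "block"
    intrusion_policy: Optional[str]   # policy for allowed traffic on this rule


def process_flow(app: str, acp_rules: List[AcpRule], pre_rule_policy: str,
                 n_packets: int = 6) -> List[Tuple[str, Optional[str]]]:
    """Return (verdict, inspecting_policy) per packet for a flow of `app`.

    Packets before the application is identified are passed so the detector
    can see them; only the 'intrusion policy used before Access Control rule
    is determined' applies to them. Afterwards the matching ACP rule decides.
    """
    results = []
    for seq in range(1, n_packets + 1):
        if seq <= PACKETS_TO_IDENTIFY_APP:
            # Rule not yet determined: packet is allowed to pass. With
            # "No Rules Active" nothing inspects it.
            policy = None if pre_rule_policy == NO_RULES_ACTIVE else pre_rule_policy
            results.append(("allow-pending", policy))
            continue
        rule = next((r for r in acp_rules if r.app == app), None)
        if rule is None:
            results.append(("default-action", None))
        elif rule.action == "block":
            results.append(("block", None))
        else:
            results.append(("allow", rule.intrusion_policy))
    return results


def uninspected_allowed(results: List[Tuple[str, Optional[str]]]) -> int:
    """Count packets that were allowed through without any intrusion policy."""
    return sum(1 for verdict, policy in results
               if verdict.startswith("allow") and policy is None)
```

Running process_flow for a blocked application with "No Rules Active" versus a named pre-rule policy shows the same block verdict from the fourth packet on, but only the second setting inspects the packets that passed before the rule was determined.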
